Security B-Sides – Teach a developer about vulnerability and he will prevent it

July 30th, 2009 by s3ctrzr0

I would like to thank Security B-Sides for inviting us to their con here in Vegas. We did cut out early to pick up our Defcon badges, but we had the pleasure of meeting the gang and also another great security professional from Ireland, David Rook. You can check him out at his blog, “Security Ninja Blog”.

It was great to hear the Chinese proverb “Give a man a fish and you feed him for a day, teach a man to fish and you feed him for a lifetime” in a presentation that describes web application security. As David explained, a new way of seeing this in action sounds like this: “Teach a developer about vulnerability and he will prevent it, teach him how to develop securely and he will prevent many vulnerabilities”.

This got me off my seat and I was ready to get on the phone to my web developers, but that can wait till I get back to San Francisco.

As he mentions, the common habit of application developers is to review and fix individual vulnerabilities, when they should instead develop securely as a whole. David explained the principles of secure development and broke them down into 8 easy-to-digest categories:

1. Input Validation
2. Output Validation
3. Error Handling
4. Authorizations
5. Session Management
6. Secure Communication
7. Secure Storage
8. Secure Resource Access

Please visit his blog for more great security habits on how to fish securely in web application development.


Security B-Sides – BSidesLasVegas

July 30th, 2009 by bl4ckc4t

BSides is an ad-hoc gathering of information security types born from the desire for people to share and learn in an open environment. It is an intense event with discussions, demos and interaction from participants.

During a break in Black Hat I recognized a familiar face, Chris Nickerson, a featured member of TruTV’s Tiger Team, a 30-minute reality television program showing the activities of actual penetration tests and active assessments. Unsure of who he was, I approached him to view the name on his badge, but received a look from him as if I was going to harass him. After explaining my actions and a brief introduction, we chuckled with amusement when he mentioned what his anticipated reaction had been when I approached him.

After a brief conversation, Chris mentioned that he was coordinating an event with Security B-Sides, hosted as BSidesLasVegas, and extended an invitation to us, which we gladly accepted pending the availability of seats at the event; we had to register to get on the list.

BSidesLasVegas is an alternative option for folks who visit for the after parties or never planned on attending the original conference. The forum was a small set hosted at a home, with speakers in a round-table-like environment. This setup allowed a small group of security enthusiasts to interact with the presenters in a smaller session. The interaction and networking of people in a casual gathering made it easier to get involved. I was very thankful for the opportunity to meet Chris and attend his event.

For individuals who are interested in attending this event in the future, check out the Security B-Sides community Wiki to keep updated.

http://www.securitybsides.com/


Black Hat USA 2009 – Day 2 Cloudburst Story

July 30th, 2009 by s3ctrzr0

As Black Hat was coming to an end for me and I was preparing for Defcon, I caught another great session, this one from security researcher Kostya Kortchinsky (Immunity, Inc) of Florida. He presented a VMware guest-to-host escape story that showed me that the virtualization layer is truly not secure. He focused on just one area of the virtualization layer, exploiting the VMware SVGA II virtual driver by injecting into the frame buffer and SVGA FIFO memory spaces.

He did successfully exploit this abstraction layer for remote execution. This just shows me that VMware needs to practice what they preach on virtualization security with their developers. We saw the demo on VMware Workstation, but looking into it deeper, ESX 4 RC was reported vulnerable to this attack as well. I would highly recommend you check your ESX settings and make sure the 3D acceleration setting on your virtual machines is disabled; there is no need to run it on guest machines hosted by the VMware ESX suite. I was glad to end my Black Hat sessions with a burst of knowledge.
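As an added example, not code from the post or from Immunity, here is a small Python audit of VMware .vmx files for the 3D acceleration setting the author recommends disabling. It assumes VMware's VMX option name mks.enable3d, which the post does not mention, and the `key = "value"` line format of .vmx files; the sample guests are constructed.

```python
# Added example (not from the post): audit .vmx files for the 3D acceleration
# setting the post recommends disabling. Assumes VMware's VMX option name
# mks.enable3d (not in the post) and the `key = "value"` .vmx line format.
import re
from typing import Dict, List

VMX_LINE = re.compile(r'^\s*([A-Za-z0-9_.:]+)\s*=\s*"?(.*?)"?\s*$')
KEY = "mks.enable3d"

# Constructed sample .vmx bodies standing in for files on a datastore.
SAMPLE_VMX = {
    "web01": 'displayName = "web01"\nmks.enable3d = "TRUE"\n',
    "db01": 'displayName = "db01"\nmks.enable3d = "FALSE"\n',
    "jump01": 'displayName = "jump01"\n',  # key absent entirely
}

def parse_vmx(text: str) -> Dict[str, str]:
    """Return the key/value pairs of a .vmx body; comments and blanks skipped."""
    settings: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m:
            settings[m.group(1).lower()] = m.group(2)
    return settings

def accel_3d_enabled(settings: Dict[str, str]) -> bool:
    """Only an explicit TRUE counts; an absent key is not flagged by this check."""
    return settings.get(KEY, "").strip().upper() == "TRUE"

def audit(vmx_files: Dict[str, str]) -> List[str]:
    """Names of guests whose .vmx still has 3D acceleration turned on."""
    return sorted(name for name, body in vmx_files.items()
                  if accel_3d_enabled(parse_vmx(body)))

def harden(text: str) -> str:
    """Return the .vmx body with mks.enable3d forced to FALSE (added if missing)."""
    out, seen = [], False
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m and m.group(1).lower() == KEY:
            out.append(f'{KEY} = "FALSE"')
            seen = True
        else:
            out.append(line)
    if not seen:
        out.append(f'{KEY} = "FALSE"')
    return "\n".join(out) + "\n"
```

On a real datastore you would read each guest's .vmx into the dictionary instead of the constructed samples; the hardened body sets the key explicitly so a guest with no entry is no longer left to the product default.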


Defcon 2009 – (Pre-Defcon)

July 30th, 2009 by bl4ckc4t

The day started with a hurried haul to the Riviera Hotel to face the line for registration. Every year the event attracts thousands of security enthusiasts from around the world, and with that many people attending a single event you know the line is going to be a nightmare. I experienced this first hand 2 years ago during my first attendance and learned to show up early and start camping in the line every year.

Defcon is known to deliver the best of the best breed of speakers and activities surrounding the realm of information security. On top of the talks, every year they issue unique badges built to be modified to unlock certain functions. Last year’s badge was equipped with a remote control function and other capabilities that a little bit of hardware programming knowledge can unlock.

With the high demand for these badges, they ran out early during registration last year and had to issue temporary badges until more were shipped in. With that experience, attendees made sure they got in line early this year, only to be presented with the reverse outcome. The early birds were now the ones handed temporary badges because the badges were still en route, and the later folks received the real ones instead.

The bulk of the morning was spent standing in line for registration and then standing in line again to swap for the permanent badges. From the registration line to the swag line was the game plan for pre-Defcon: get it out of the way and prepare for the next 3 days of sessions.

Dark Tangent continues to go all out for this event even through the economic slowdown and his recent recruitment to the Homeland Security Advisory Council (HSAC). I look forward to what this conference delivers and will keep you posted on the events.


Black Hat USA 2009 – Day 1 Keynote Highlights

July 29th, 2009 by s3ctrzr0

Douglas C. Merrill was the COO of New Music for EMI Records and the President of EMI’s Digital Business from 2008 to 2009. In those roles, he was responsible for the operation of the new music creation business, and led all of EMI’s digital strategy.

It was exciting to hear an experienced contributor to innovation urge security professionals to stop hindering innovation. He also sees that employees do want to participate in information security, exactly what I am also experiencing in many industries. I am looking forward to more insight from him and to his ventures. Day one here at Black Hat has been a definite knowledge overload, and I am looking forward to Day two.

